DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-30863: JWT Audience Validation Bypass in Parse Server Authentication Adapters

Vulnerability ID: CVE-2026-30863
CVSS Score: 9.3
Published: 2026-03-09

Parse Server versions prior to 8.6.10 and 9.5.0-alpha.11 contain a critical authentication bypass vulnerability in the Google, Apple, and Facebook authentication adapters. An improper implementation of JSON Web Token (JWT) audience validation allows an attacker to use a token the identity provider issued to a different application (that is, a token whose `aud` claim does not name the target server's own client) to authenticate as arbitrary users on the target server. Exploitation requires no privileges and results in full account compromise.

TL;DR

A critical logic flaw in Parse Server's third-party authentication adapters permits attackers to bypass JWT audience checks, enabling cross-application token substitution and unauthorized account access.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-287
  • Attack Vector: Network
  • CVSS v4.0: 9.3 (Critical)
  • EPSS Score: 0.00066
  • Impact: High Confidentiality, High Integrity
  • Exploit Status: Proof of Concept (PoC) Available
  • KEV Status: Not Listed

Affected Systems

  • Parse Server Node.js Backend
  • Parse Server Google Authentication Adapter
  • Parse Server Apple Authentication Adapter
  • Parse Server Facebook Authentication Adapter
  • parse-server: < 8.6.10 (Fixed in: 8.6.10)
  • parse-server: < 9.5.0-alpha.11 (Fixed in: 9.5.0-alpha.11)

Exploit Details

  • GitHub: Proof of Concept demonstrating JWT audience validation bypass in Parse Server.

Mitigation Strategies

  • Upgrade Parse Server to patched versions 8.6.10 or 9.5.0-alpha.11.
  • Enforce explicit configuration of clientId for Apple and Google adapters.
  • Monitor authentication endpoints for token audience mismatches.

Remediation Steps

  1. Identify the current version of Parse Server running in the environment.
  2. Update the parse-server dependency in package.json to ^8.6.10 or later.
  3. Execute npm install or yarn install to apply the updated package.
  4. Verify that clientId and appIds are explicitly defined in the initialization options for all configured authentication adapters.
  5. Restart the Parse Server process and validate authentication flows.

Read the full report for CVE-2026-30863 on our website for more details including interactive diagrams and full exploit analysis.
